How to deploy DNSSEC now

By Drew Reinders

Nov 13, 2015

It is no secret that the federal government has become a target for cyberattacks. One need only look back to recent breaches at the Office of Personnel Management and the Social Security Administration to know that citizen data held by government agencies is an irresistible prize for hackers. As federal agencies seek to shore up their cybersecurity defenses, they need to recall the long-passed deadlines on mandates to secure their domain name system by implementing DNS Security Extensions (DNSSEC).

It has been over six years since the Office of Management and Budget mandated DNSSEC adoption for federal agencies. This extra security layer is meant to increase the security of the Internet by addressing DNS security weaknesses and helping to alleviate the threat of DNS cache poisoning.

DNS cache poisoning – also known as DNS spoofing – is a type of cyberattack that takes advantage of vulnerabilities in the DNS to divert Internet traffic from a legitimate website to a malicious site that could deliver malware and/or steal personal or sensitive information. This type of attack is particularly dangerous because one successful cache poisoning attack can affect countless users by providing the wrong answer for future DNS queries.

The solution to this problem lies in DNSSEC, which adds data origin authentication and data integrity protection to the DNS by allowing organizations to sign their DNS records using public-key cryptography. It ensures that a client will know if a DNS response is legitimate or if it has been compromised. While most agencies have implemented DNSSEC to the top-level .gov domain as required by the federal OMB mandate, most have not met the mandate for signing second-level domains in the .gov namespace.

Why is this a problem?

Consider distributed denial of service attacks. DDoS attacks are on the rise, as evidenced by the most recent State of the Internet – Security Report. DDoS attacks have doubled year over year for the past three quarters. These attacks are attempts to make a computer resource or network unavailable to users. The targeted system becomes overwhelmed with massive amounts of unsolicited data or traffic and either becomes unusable or crashes completely. Groups of computer criminals use DDoS attacks as a means of extortion, to gain media attention and notoriety from peer groups or to damage reputations and cause service disruptions. DDoS attacks are also often used as a distraction when other, more serious, attacks are occurring, such as data exfiltration. In addition, DDoS attacks are popular for acts of hactivism, which are becoming more common.

DNSSEC provides a solution. The fast DNS ensured by DNSSEC provides a highly scalable DNS platform with sufficient capacity to absorb the largest DDoS attacks while responding to legitimate user requests, so agencies can maintain user access to faster online experiences even when under attack.

DNSSEC should be a cybersecurity priority

As federal agencies get audited, they are being asked why they are not fully compliant with the mandate. That is making chief information security officers more eager to put DNSSEC in place. While some agencies look to self-build to save money, this can be a difficult path unless there are deep technical specialists on staff. DNSSEC is offered as a managed service, and there are DNSSEC appliances that can automate the process.

In order to select the best DNSSEC solution, federal CISOs should ensure it meets the following requirements:

High availability: Look for a wide distribution of thousands of DNS servers in hundreds of points of presence worldwide to provide a high level of DNS service availability. Agencies should pick a globally distributed network that will accelerate DNS resolutions for users connecting to sites and applications from anywhere in the world.

Fast responses: Be sure to choose a solution that will direct users to a high performing DNS server based on network conditions to improve responsiveness of the agency’s DNS infrastructure. This solution should come with a 100-percent uptime service level agreement, providing agencies with confidence that citizens and employees can connect to their website and application servers.

FedRAMP certified: Agencies should be sure to select a provider that has received certification from the Federal Risk and Authorization Management Program, which standardizes the approach to security assessment, authorization and continuous monitoring for cloud products and services.

In today’s hostile cyber environment, agencies will never know from where the next attack will come. But the next attack is certainly on its way, if not already impacting government networks. Agencies need to deploy every weapon in their cyber arsenal, and full DNSSEC implementation should be on that list.

About the Author

Drew Reinders (GSEC), a 5-year Akamai veteran, initially joined Akamai within the Professional Services organization. He was responsible for the technical design, implementation, support and overall customer satisfaction of multiple US Civilian Agencies. Presently Drew is a Principle Solutions Engineer with a focus to supplement the Sales team from a technical perspective and prescribe the optimal solution based on the customer’s business need.